ceph: run operator with rook user

The rook operator as well as the toolbox pod run with the "rook" user with UID 2016. The UID was chosen based on the year of the initial commit in the rook/rook repository. No more root user running. Closes: #8734 Signed-off-by: Sébastien Han <seb@redhat.com>
rook · Sep 28, 2021 · afb49b8 · afb49b8
1 parent 62d66b0
commit afb49b8
Show file tree

Hide file tree

Showing 8 changed files with 26 additions and 1 deletion.
diff --git a/PendingReleaseNotes.md b/PendingReleaseNotes.md
@@ -17,3 +17,4 @@ v1.8...
 
 - The Rook Operator does not use "tini" as an init process. Instead, it uses the "rook" and handles
   signals on its own.
+- The Rook Operator and the toolbox now run under the "rook" user and does not use "root" anymore.
diff --git a/cluster/charts/rook-ceph/templates/deployment.yaml b/cluster/charts/rook-ceph/templates/deployment.yaml
@@ -26,6 +26,10 @@ spec:
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args: ["ceph", "operator"]
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 2016
+          runAsGroup: 2016
         volumeMounts:
         - mountPath: /var/lib/rook
           name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/operator-openshift.yaml b/cluster/examples/kubernetes/ceph/operator-openshift.yaml
@@ -433,6 +433,10 @@ spec:
         - name: rook-ceph-operator
           image: rook/ceph:master
           args: ["ceph", "operator"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
+            runAsGroup: 2016
           volumeMounts:
             - mountPath: /var/lib/rook
               name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/operator.yaml b/cluster/examples/kubernetes/ceph/operator.yaml
@@ -354,6 +354,10 @@ spec:
         - name: rook-ceph-operator
           image: rook/ceph:master
           args: ["ceph", "operator"]
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
+            runAsGroup: 2016
           volumeMounts:
             - mountPath: /var/lib/rook
               name: rook-config

diff --git a/cluster/examples/kubernetes/ceph/toolbox.yaml b/cluster/examples/kubernetes/ceph/toolbox.yaml
@@ -23,6 +23,10 @@ spec:
           args: ["-m", "-c", "/usr/local/bin/toolbox.sh"]
           imagePullPolicy: IfNotPresent
           tty: true
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 2016
+            runAsGroup: 2016
           env:
             - name: ROOK_CEPH_USERNAME
               valueFrom:

diff --git a/images/ceph/Dockerfile b/images/ceph/Dockerfile
@@ -20,5 +20,10 @@ COPY rook toolbox.sh set-ceph-debug-level /usr/local/bin/
 COPY ceph-monitoring /etc/ceph-monitoring
 COPY rook-external /etc/rook-external/
 COPY ceph-csv-templates /etc/ceph-csv-templates
+RUN useradd rook -u 2016 # 2016 is the UID of the rook user and also the year of the first commit in the project
+RUN mkdir -p /var/lib/rook /etc/webhook
+RUN chown rook:rook /var/lib/rook /etc/webhook
+RUN chmod 755 /var/lib/rook /etc/webhook
+USER 2016
 ENTRYPOINT ["/usr/local/bin/rook"]
 CMD [""]
diff --git a/pkg/operator/ceph/cr_manager.go b/pkg/operator/ceph/cr_manager.go
@@ -53,7 +53,7 @@ import (
 )
 
 const (
-	certDir = "/etc/webhook"
+	certDir = "/etc/webhook/certs"
 )
 
 var (

diff --git a/pkg/operator/ceph/webhook.go b/pkg/operator/ceph/webhook.go
@@ -59,6 +59,9 @@ func isSecretPresent(ctx context.Context, context *clusterd.Context) (bool, erro
 
 	logger.Infof("admission webhook secret %q found", admissionControllerAppName)
 	for k, data := range s.Data {
+		if err = os.MkdirAll(certDir, 0755); err != nil {
+			return false, errors.Wrapf(err, "failed to create webhook certificate directory %q", certDir)
+		}
 		path := fmt.Sprintf("%s/%s", certDir, k)
 		err := ioutil.WriteFile(path, data, 0400)
 		if err != nil {